Identity Authentication
Web App External User Authentication
This authentication method is designed for Web Apps with publishing permissions set to “Authenticated External Users”. External users can access Web Apps through authentication without needing to register Dify Enterprise accounts.
Configure based on your specific identity provider. For detailed setup instructions, see Configure SSO Authentication.
External users are individuals who are not part of your Dify Enterprise system.This authentication method enables organizations to control application access while monitoring and managing external users through third-party identity providers. Use Cases Consider a scenario where IT staff have built AI assistants for company employees, but not everyone has joined the Dify Enterprise system. However, all employees exist in a third-party identity provider. External user authentication allows these users to access applications through SSO without Dify registration. This approach is ideal when providing AI services to customers, partners, or other external stakeholders.
Authentication Process
1
User Access
User clicks on the web application link
2
Automatic Redirect
System redirects to your configured SSO login page
3
Identity Verification
User authenticates through your identity provider
4
Authorization Callback
Upon successful authentication, user returns to the application
5
Start Using
User accesses the Web App and begins using the service
Configuration Steps
Prerequisites
Before you begin, verify that:- Dify Enterprise is deployed and running
- You have system administrator access
- Your SSO identity provider is configured and ready
Step 1: Configure SSO Identity Provider
- Access the Dify Enterprise Admin Console
- Go to Identity Authentication → Web App External Users
- Click Configure in the “SSO Identity Provider” section
Configure based on your specific identity provider. For detailed setup instructions, see Configure SSO Authentication.
Step 2: Enable External User Authentication
- Once configuration is complete, locate the Enable SSO toggle
- Switch it to On
If SSO is configured but not enabled, the Authenticated External Users option will be unavailable in Web App publishing permissions. Learn more about this in Application Access Permission Management.
Step 3: Test Authentication Configuration
- Set Web App permissions to Authenticated External Users during publishing
- Share the Web App URL with external users
- Verify proper redirection to the SSO login page
- Test the complete login flow with a test account
- Confirm successful Web App access
Common Issues
Access denied when accessing Web App
Access denied when accessing Web App
Possible Causes:
- SSO configuration not enabled
- Identity provider configuration error
- Network connection issues
- Contact your system administrator to verify SSO configuration at System Settings → Identity Authentication → Web App External User Verification
- Ensure the user exists in your third-party identity provider’s member list
Cannot redirect to SSO login page
Cannot redirect to SSO login page
Possible Causes:
- SSO configuration not enabled
- Identity provider configuration error
- Network connection issues
- Verify SSO is enabled
- Review identity provider configuration
- Test network connectivity and DNS resolution
- Review system error logs
Cannot return to Web App after SSO login
Cannot return to Web App after SSO login
Possible Causes:
- Incorrect callback address configuration
- Token verification failure
- Insufficient user permissions
- Verify callback URL configuration in your identity provider. Find the correct URL at Admin Console → Identity Authentication → Web App External Users
- Confirm the client secret is correct
- Check user permissions in your identity provider
Some users cannot authenticate through SSO
Some users cannot authenticate through SSO
Possible Causes:
- User account disabled
- Permission group configuration issues
- Attribute mapping mismatch
- Verify user account status in your identity provider
- Review user’s organizational structure and permission assignments
- Update attribute mapping configuration